Telstra - QUESTnet
Download
Report
Transcript Telstra - QUESTnet
Click to edit Master text styles
Telstra
Third level
Security Operations
Centre
(T-SOC)
Fourth level
QuestNet
Fifth level
Second level
Telstra Enterprise and Government
[Insert Title Here]
September
Version 1.2
2009
Draft – Preliminary Work Product
Andy Solterbeck
Security Context
• Major Security Themes:
• Frequency, size and duration of attacks are increasing
• Attacks are being mounted from all layers of the network
• Attacks from outsiders are increasing as a percentage of all
attacks
• Attacks from organised crime now form the majority of
attacks
• Security incidents have significant consequences:
•
•
•
•
•
•
Damage to reputation and brand
Loss of stakeholder confidence
Loss of revenues
Loss of customers
Regulatory action/sanction
Litigation/legal action
• Within the last 6 weeks more than 12 Organisations have been under attack
Telstra has the Capability to Deliver A Unique Value Proposition
1.
2.
3.
Target market
value drivers
Ensure business continuity
Realise ROI in security (including opportunity cost of capital)
Business risk mitigation: Compliance, Brand, Shareholder Price
Visibility
Target market
capability
requirements
Capacity
1. Recognise threats quickly and
accurately
2. Rapidly respond with right
solution to prevent and to recover
Capability
3. Demonstrate the investment in
security precautions reflects the
risk profile of my enterprise
Certification
TSOC
• View Security Events core and Customer
• People (Cleared)
• Process (DSD Approved)
• Tool (End to End Visibility, Portal)
• Business Case in Development
Better AE Engagement
Highly Secure Network
• Encrypted Overlay (Service)
• People (Cleared)
• Process (DSD Approved)
• Tools (Project Enterprise)
• Business Case in Development
Marketing Engagement
See http://www.in.telstra.com.au/ism/enterpriseandgovernmentsales/security.asp
Secure Services
• Secure Gateways, UC & Voice
• Requires Data Centre Facility (T4)
• People (Cleared)
• Process (DSD Approved)
• Tools (Cisco/EMC/RSA/VMWare)
• Secure TIPT
Project Enterprise
Security Consideration: Capacity
• Telstra maintains 100% physically separate Internet and Private IP
networks:
-
Significant events on one network are isolated from the other logically and
physically.
Internet and corporate traffic is physically separated from the Internet.
• Capacity is maintained in both networks at a level exceeding all
other Australian providers allowing Telstra to manage extreme traffic
events without customer interruption:
-
An Internet based DoS attack is isolated from critical business traffic. Even an
attack of unprecedented scale on Telstra infrastructure would not affect traffic
within the private IP Network (branch, call centre, corporate)
Telstra
Corporate IP Data
Corporate IP Voice
Optus
NextIP
Corporate IP Voice
Corporate IP Data
Internet/IP Core
Internet
Good Traffic
Large Attack
Cleaning
Large Attack
Good Traffic
Security Consideration: Visibility
• Telstra gathers detailed telemetry from all layers and devices in our
networks to understand emerging threats and challenges. All data is
integrated into Telstra Security Operations Centre monitoring.
• Telstra engages in a worldwide security community enabling the
engagement of global peers in mitigation of security incidents and
the gathering of intelligence where required.
• To fully protect customer, the Service Provider must have end-end
visibility of all circuits that carry ANZ traffic. Any handoff to alternate
carrier network is a vulnerability.
Telstra
Monitor & Manager
Optus
Transport
Network
Network
Data Link
Physical
Gap
Transport
Data Link
Physical
Telstra Provides visibility at all network layers ensuring attacks
are dealt with regardless of origin
Security Consideration: Capability Core
• The Telstra Security Operations Centre provides 24/7 monitoring
across Telstra infrastructure using state of the art correlation tools
and process all within a ASIO T4 certified centre.
• Any issues are escalated to the Telstra Computer Emergency
Response Team (T-CERT), a dedicated security team to manage
incidents.
• T-CERT engages any required resources from all operational and
SME teams to investigate, mitigate and resolve any identified
issue.
• T-CERT engages Telstra’s Network Hardening Teams to review
the incident, quantify the lessons learned from the incidents and
protect all other Telstra environments against similar classes of
attack vector.
Security Consideration: Certification
• Independent verification and validation of Security capability allows ANZ to
more quickly and easily meet regulatory compliance requirements
• Regulations:
• Why Telstra is Uniquely Capable of handling this requirement:
-
Telstra has achieved ISO 27001 on it IPMAN, IPWAN and IPWireless
Telstra has achieved T4 certification of the NPC facilities
Telstra has Secret cleared staff in the Network Protection Centre
Telstra has DSD approved Secure Gateways Infrastructure to meet the security
requirements of Commonwealth customers
Telstra can assist in meeting ANZ’s Network Centric
Regulatory Compliance requirements to decrease risk and
cost of compliance
Security Consideration: Governance
• Telstra takes security seriously and is organised to ensure that it is
central to all capability development
- Executive Steering Committee: Overall Governance: Group Managing
Directors , CFO, Head of Corporate Security, CTO, CIO
- Security Working Group: Executive Directors , Directors , SME
Manage all security programs across the company
- Security Centre of Excellence
Internal and External Security Consulting
Engaged with all large customers
- Network Security
General Manager Network manages all aspects of Network and Internal Security
- Enterprise & Government Security Services
Director Security Services manages all customer facing Security capabilities
- Security Customer Advisory Group
CSO’s from key accounts meet to discuss key issues.
Telstra sets out plans and issues for discussion
Telstra has more than 350 dedicated Security personnel
Offerings
Single View
of Customer
Security
Posture
Security Solutions - Service Management (SIEM)
•
•
•
•
Additional
Security
Services
•
Security
Consulting
Policy, frameworks and strategy
Risk Management
Security auditing & assurance
Business continuity Security arch &
design
Certifications
Managed Security
Solutions
Network Based
Security Solutions
•
•
•
•
•
Internet Gateways
Extranet Gateways
Internet protection (mail & web
protect & control)
Remote Working
Denial of Service Protection
•
•
•
•
Managed Firewall
Managed Intrusion Protection
Managed Antivirus & Content
Security
Vulnerability Management
Security Certified IP Networking Products
Operate the
Network
Securely
• IPWAN
• IPMAN
• IPWireless
• All certified to ISO 27001 security standard
Security Service Management
Key features:
• Collects, analyses, stores and
reports on event data and log
information from heterogeneous
devices, systems, and applications
throughout an enterprise’s ICT
infrastructure
Security Service Management (SIEM)
Single View of
Customer
Security
Posture
Security Consulting
•
Additional
Security
Services
•
•
•
•
•
Operate the
Network
Securely
Policy, frameworks
and strategy
Risk Management
Security auditing &
assurance
Business continuity
planning
Security architecture &
design
Certifications (eg to
ISO27001)
Network Based
Security Solutions
•
•
•
Internet Gateways
Extranet Gateways
Internet protection
(mail & web protect &
control)
Remote Working
Denial of Service
Protection
•
•
Managed Security
Solutions
•
•
•
•
Managed Firewall
Managed Intrusion
Protection
Managed Antivirus &
Content Security
Vulnerability
Management
Customer
Security Certified IP Networking Products
•
•
•
IPWAN
IPMAN
IPWireless
•
Value Proposition:
All certified to ISO 27001 security standard
• Reduce risk of network down time
or data loss due to security
incidents
Service
Interface
(Portal +
Service Desk)
• Achieve this without requiring
complex technology or specialist
expertise
Intelligent
Analysis
Differentiators:
Policy Manager
Information Sources
Core
Network
Customer
Network
Customer
End Points/
Devices
• Includes information from network
based services
• Network delivered
• Integrated view
T-SOC Program Overview
The T-SOC will deliver the following streams of work:
• Secure Service Management Facility – the building of ASIO T4 accredited
facilities in Canberra and Sydney
- The building of a primary T4 staff facility in Canberra replacing the Don Gray T4 people
facility. This will provide flight deck space for the TSOC as well as workspace for staff
supporting Government security accredited products – Managed Security, Secure MNS,
Secure TIPT, Secure UC etc.
- The building of a secondary T4 staff facility in Elizabeth St Sydney to a disaster
recovery site for the T-SOC monitoring staff
• Toolset (Predominantly delivered by ”Project Enterprise”).- This project is to
deliver all the necessary tools required to operate the T-SOC, e.g. SIEM,
Scanners. Ticketing, problem and change will be delivered by standard tools.
• People, Process and Roles, Responsibilities (PPRR) – This project will deliver all
the documentation required to operate the T-SOC.
• Web Portal (Leveraging TE&G Customer Portal) – This project will provide the
Web presence for the T-SOC. The Web Portal will be the primary interface with
customers providing reporting (security, problem and change management, etc),
Security Bulletins, Threat Landscape, etc.
What would a T-SOC Look Like?
Unified Service Desk
All ticketing performed and
managed by the unified service
desk
Network
Operations
(CNO & EO)
NOC
Monitor security events from
logs and correlation engine
as well as announced
vulnerabilities and patches
Security
Monitoring
Security
Operations
(CNO & EO)
In addition to raw security
logs from devices, relevant
event from the network
monitoring tools will be fed
into the corelation engine
Portal
CERT
Team
SOC
Network
Monitoring
MNOC
Correlation
engine
Netview/Infovista
All device up/down and
generic health monitoring
done here for Network and
Security devices
Shared, multi –tenanted tool.
This will take log feeds from
devices under shared
management or dedicated
CERT team has small # FTE
– virtual resources drawn in
from OPS and PS as needed
for incidents
Over time this could
merge with Network OPS
as skill and technology
develops
12
Commercial in Confidence – Version 1.0
Function of the T-SOC?
• In real time, manage and monitor firewalls, intrusion detection
and prevention systems, DDoS mitigation systems, anti-x
solutions, patch updates, endpoint assets, and other security
products.
• Analyse security log data, vulnerability information, asset
information, and alerts
• Immediately respond to potential security threats and quickly
resolve security problems
• Offer real-time views of the customers security postures
• Defend customers against emerging network attacks
• Protect customers technology investments
13
Commercial in Confidence – Version 1.0
What are the benefits of a T-SOC
• Effectively deal with Security Incidents
The T-SOC would give customers the ability to move from a reactionary posture to one of preparedness. Rather than
scrambling to respond to a security breach, the T-SOC would have a well-established processes to follow, to move
fast and effectively, to isolate, contain, and diffuse the threat.
• Reduces Risks to Customers
The T-SOC will enable customers to minimize security-related network downtime. By keeping pace with evolving
threats, the T-SOC will better protect customers’ data traffic from loss or manipulation.
• Improves Security Response
The T-SOC systematically analyses potential reasons for traffic abnormalities and appropriately elevates the events.
By moving quickly, the T-SOC can deal with security incidents in minutes – not hours or days – greatly lessening
potential disruption to customers critical services and business processes.
• Enhances Operational Efficiency
By defining security rules and policies, the T-SOC specialists will be able to quickly identify threats and apply
remedies to customer sites at risk before network attacks hit them.
• Comply with Regulations
Customers often need to comply with regulations and policies governing the use, protection, or privacy of information.
Customers can use reports that the T-SOC can generate, to help adhere to these regulations and policies, including
the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the data-security storage
requirements associated with the payment card industry.
14
Commercial in Confidence – Version 1.0
TSOC Solution Architecture
The TSOC
TSOC Solution Architecture Detail
Trouble Ticketing
Customer Incident &
Notifications
TE&G Portal
Ticket
Creation/
Update
SIIAM
HTTP Links embedded
in TE&G Portal
IV
Reports
INTERDAM
Account-01
Escalation to Interdomain
Ticket
RCA and ticketable
Updates
alarms
PE – NSA Cache
Enrichment data &
Seeding to ISM
Operations
PE-Netcool
Operations
Display
Layer
Object
Servers
Object
Servers
Processing
Layer
Object
Servers
Object
Servers
Collection
Layer
Object
Servers
Object
Servers
PE –
Repository
Probes
PE – BO
Reporting
syslog
PE –
CMIBOSS
Syslog-NG
Probes
PEIL
(PE-ROSMAP)
SNMP V3
Impact
Alert
Processor
Correlation
Requests initiated
via Impact
Netcool
Alm Fwder
ISM
PE –
ConfigProvisioning
App
RCA Rules
Ops State
Monitor
Alert
Transient
Store
Discovery &
Reconciliation
Performance
metrics from
EMS (csv files)
Cisco
CUOM
Security
Appliance
CMI (or
EDN)
Account-01
VistaPortal
R&E
VistaMart
Vista
Bridge
Vista
Servers
Vista
Discovery
Single
Sign-on
Siteminder
(1) ICMP/SNMP Ping requests
(2) SNMP Traps for
non-EMS managed devices
(switches & routers)
NetForensics
User authentication for
CPE will be done via
ACS
Customer Networks
Leverages components
in Cisco ROS Solution
Legacy Applications
Cisco
CallMan
ager
Account-01
IV Polling & Discovery
CMI
Operations
LDAP
Integration
ACS
CPE Device
Configs
Manual Provisoning
For EM7 and CUOM
IV
Seeding
Inventory
feed
CNS-DI
PE – Infovista
User
Authentication
EM 7
Update
Inventory data
Rules
Config UI
Alert
Publisher
SNMP V3
SNMP V3
PE – CorrelationEngine
Webtop
Server
Omnibus
Alarms / Events
(View/Update)
Inventory/Eligibility
Cisco
Unity
Telepresence
Managed DMZ
Security Zone Model
External to company
Key features:
Internal to company
Secure Administration
DMZ
External
Controlled
Business
Applications
Secure Data
Storage
Business
Applications
Secure Data
Storage
Internal Users
and Systems
• Security focused management of
devices located in a DMZ (eg web
content security, proxies, load
balances, VPN concentrators etc)
• Customer site or Telstra Hosted
(business partners)
Value Proposition:
DMZ
for Service
Presentation
• 24x7 service without the cost
Internal Users and Systems
External
Uncontrolled
• Specialist expertise
(Internet and wireless)
Denotes a security device
Increased trust into company
Source: Keith Price
Specific Differentiators:
• Single Provider
Manage the
whole DMZ
environment
• Linked to internet delivered
features (eg DOSP, Content
Security)
End Point Security
Key features:
Protect endpoint devices
• Prevent non-compliant devices from
Connecting to a customer network
• Secure the end-point device itself
(eg antivirus, Firewall, intrusion
prevention)
• All with centralised policy control and
reporting)
The Internet
Customer
Network
Value Proposition:
• Reduced threat from uncontrolled
devices.
• Controlled and managed from within
the customer network
• 24x7 service without the cost
• Ensure policy compliance
Prevent
High Risk
devices from
connecting
to the
network
Specific Differentiators:
• Network delivered (phase 2)
• Integrated view
Secure Managed Network Services
Key features:
Encrypt traffic
from the edge
router &
manage
security
relevant log
data
Overlays on MNS for:
• Secure Wireless LAN: Who has
access for what purposes
• Encryption over MNS networks
• Log Management on network
devices
Value Proposition:
Customer
Network
Control who
has wireless
access for
what
purpose
• Option for high security features
to meet to end compliance
requirements (eg PCI, Finance
industry)
Specific Differentiators:
• Network integrated & managed
• Integrated view